Agentic security staff for Hermes Agent, distributed as a reproducible overlay of profiles, prompts, templates, and operating policies.
This repository is not a Hermes fork. MiniCISO is a public overlay installed on top of a Hermes runtime pinned by version and commit in
config/hermes-version.env.
MiniCISO packages a reusable security operating model around Hermes:
- a
chief-of-staffcoordinator for intake, routing, synthesis, and QA enforcement; - specialized security SMEs for threat modeling, architecture, code review, AppSec, compliance, offensive validation, recon, and QA;
- evidence-driven workflows with explicit gates for finding validation and post-submission follow-up.
It is designed to help a human operator run structured security engagements more consistently. It does not replace human authorization, judgment, or accountable decision-making.
git clone https://github.com/icidade/miniCISO.git
cd miniCISO
.\scripts\bootstrap.ps1git clone https://github.com/icidade/miniCISO.git
cd miniCISO
./scripts/bootstrap.shThe bootstrap restores the pinned Hermes runtime, creates the MiniCISO profile set, installs the overlay prompts and templates, prepares the shared workspace, and runs structural checks.
Credentials requested by hermes setup stay in the user's Hermes environment. They are never copied into this repository.
MiniCISO ships the following public profile set:
chief-of-staffsecurity-threat-modelingsecurity-architecturesecurity-code-reviewsecurity-appsec-assessmentsecurity-compliance-mappersecurity-offensive-securitysecurity-recon-attack-surface-strategistsecurity-qa
For responsibilities, handoffs, and usage examples, see the wiki staff guide and the canonical profile contract in docs/profile-setup.md.
Offline repository validation:
.\scripts\validate-repo.ps1./scripts/validate-repo.shRuntime smoke test after bootstrap:
.\scripts\smoke-test.ps1./scripts/smoke-test.shUse -Online / --online only when you want to send a real question to each profile using the configured provider.
This repository contains only non-secret configuration and sanitized public content. Do not publish .env files, tokens, sessions, memories, logs, real reports, or unsanitized evidence. See SECURITY.md and .env.example.
For external vulnerability or bug bounty work, report drafting starts only after a GO decision. RESEARCH means produce an impact-validation plan, and NO-GO means block submission and capture the lesson learned.
Canonical sources:
docs/kag-finding-validation.mdtemplates/finding-decision-template.mddocs/submission-followup.mdtemplates/submission-followup-template.md
MiniCISO can maintain a public, sanitized copy of selected runtime-safe artifacts without publishing private state. See docs/self-update-capability.md.
MIT. Hermes Agent is a separate project and keeps its own license.